Phishing, Personality Traits and Facebook 



Tzipora Halevi 

Electrical and Computer 
Engineering 
Polytechnic Institute of New 
York University 
Six MetroTech Center 
Brooklyn, NY 11201 

thalevOI @students.poly.edu 



James Lewis 

Technology Culture and 
Society 
Polytechnic Institute of New 
York University 
Six MetroTech Center 
Brooklyn, NY 11201 
JLewis@Poly.edu 



Nasir Memon 

Computer Science 
Polytechnic Institute of New 
York University 
Six MetroTech Center 
Brooklyn, NY 11201 
memon@nyu.edu 



ABSTRACT 

Phishing attacks have become an increasing threat to online users.
Recent research has begun to focus on the factors that cause people
to respond to them. Our study examines the correlation between
the Big Five personality traits and email phishing response. We
also examine how these factors affect users' behavior on Facebook,
including posting personal information and choosing Facebook
privacy settings.

Our research shows that, when using a prize phishing email, there is
a strong correlation between gender and the response to the
phishing email. In addition, we find that neuroticism is the
factor most correlated to responding to this email. Our study also
found that people who score high on the openness factor tend both
to post more information on Facebook and to have less strict
privacy settings, which may cause them to be susceptible to privacy
attacks. In addition, our work detected no correlation between the
participants' estimate of being vulnerable to phishing attacks and
actually being phished, which suggests susceptibility to phishing is
not due to lack of awareness of the phishing risks and that real-time
response to phishing is hard to predict in advance by online users.

We believe that better understanding of the traits which contribute
to online vulnerability can help develop methods for increasing
users' privacy and security in the future.

Categories and Subject Descriptors 

H.5.m [Information Interfaces and Presentation (e.g. HCI)]:
Miscellaneous

General Terms 

Security, Human Factors 

Keywords 

Facebook, Privacy, Phishing, Personality traits 

1. INTRODUCTION






With the increased popularity of the internet, people spend more 
time online. Among the more popular online activities are email 
communication as well as participating in social networks, such 
as Facebook. As a result, email attacks and privacy threats pose 
increasing security concerns for online users. 

One such threat is phishing email attacks. These attacks attempt
to acquire personal information, such as usernames and passwords,
through fraudulent emails and represent a form of social engineering
used to deceive users. Phishing attacks have been on the rise in the
last few years, with phishing emails becoming more targeted, using
personal information about their intended victims, in an attempt to
seem like authentic emails and improve the response rate to the
attacks.

In this work, we set out to investigate the connection between
phishing vulnerability, personality traits and Facebook activity. For
this purpose, we present a study that examines how psychological
traits correlate to deception detection and phishing response. We
also examine the tendency to post personal information on Facebook
and how it relates to certain psychological traits as well as
responding to phishing emails.

Our work follows the hypothesis that responding to phishing
emails represents an error in judgment, which is due to certain
emotional biases. The ability to provoke such emotional triggers may
be connected to specific personality traits, where people who
score high on certain traits may be more likely to fall victim to
such attacks.

Further, the ways in which personality traits manifest themselves
in off-line behavior could have a similar effect on online behavior
as well. Previous studies linked neuroticism to the tendency to
believe people (and failure to detect lies). Premeditation was linked
to the ability to point to suspicious scam messages (when examined
off-line), which may affect vulnerability to online phishing scams
as well.

Despite the rise in phishing attacks, their connection to
psychological factors and to social network behavior has not been
thoroughly explored. Identifying the personality characteristics that
may cause higher vulnerability to online threats is an important
step in creating defenses and protecting users from email attacks
and online privacy threats.

1.1 Scams and Personality 

In classical decision theory, decision making under risk is
assumed to be based on pure logic. Under these assumptions,
reasonable people make rational choices based on objective factors.
However, Kahneman et al. [17] have shown that people's decisions
tend to be biased and are not purely logical.

A scam is a pretense in which a fraudulent attacker attempts to
extract valuable information or monetary gain from the victim. A
response to a scam can be viewed as a decision error, where the user
does not correctly estimate the risk, due to certain biases.

The popularity of different scams is due to the fact that a certain
percentage of people tend to fall for them. They provide the
malicious attacker with an opportunity to steal the victim's personal
information. In addition, many scams attempt to get money directly
from the scam victims.

Scams appeal to different human vulnerabilities, such as the
desire for immediate gain, the desire to help people (which causes
African scams to be successful) and the desire to be liked by the
scam initiators. It has been suggested that certain people have
"victim personalities" that make them more vulnerable to scams. These
victims may fall for scams repeatedly.

Studies of the psychology of scams show that victims often
respond to emotional triggers. These triggers include greed, fear,
heroism and desire to be liked. People also tend to obey authority,
and scams which use authoritative words (such as "official") are more
likely to get a response. Another factor (which is also used in
traditional marketing) is making an opportunity seem scarce, or
getting the scam victim to feel he made a commitment by responding
to the scam offer.

One of the factors that may make it more likely for certain people
to become victims is the lack of emotional control. Research by
the University of Exeter [27] examined the reasons for the lapses of
judgment by scam victims and was based on interviews and
questionnaires filled by scam victims and examination of current
scams. It found that scam victims reported being unable to resist
responding to persuasion and being undiscriminating about the offers
they respond to. The research suggests people who are socially
isolated may be more vulnerable to responding to scams. Victims'
responses also indicated that some of the people viewed responding to
the scam as taking a gamble, where their initial investment in the
scam is small in comparison to the larger prize. One of the study
conclusions was that there is a particular segment of people (about
10-20% of the population) who are particularly vulnerable to
scams. Some people become serial scam victims, who fall repeatedly
for scams.

In [19], Langenderfer et al. identified the fact that scam
messages often attempt to present a unique opportunity and require
urgent response. These techniques are used in legitimate sales and
marketing as well and are believed to be effective.

One of the defenses against scams is consumer education.
However, since scams continue to change, educating the population
about existing scams will have limited effect. This can be
evidenced by spear phishing attacks, which are a new generation of
targeted email attack. These attacks are more sophisticated than
traditional phishing attacks and are harder for users to detect.

Research into lie detection by Enos et al. [10] also found that
people who scored high on neuroticism had a significantly worse
probability of detecting lies and had a tendency to overestimate the
level of truth in other people's responses. Neuroticism may cause
people to be more upset when being lied to and therefore cause
people to prefer believing that other people are generally truthful.
This may indicate that people with a high level of neuroticism may
be more vulnerable to scams in general. On the other hand,
agreeableness was positively correlated to successful lie detection.
This may indicate that people with this trait are more compassionate
and sensitive to other people's responses.

The relationship between personality and scam victims has been
further explored in [23]. In this paper, people were shown
different offers and were asked to identify which ones were scams.
Scam victims were identified as having certain personality traits.
Specifically, premeditation (which is part of the impulsivity test)
was highly correlated to avoiding scams. Extroversion also was
detected as a predictor of avoiding scams. Introverted people may be
more likely to fall for scams due to their preference for internet
communication (over face-to-face communication), which is a medium
highly exploited for scams. Also, the paper speculates that less
human contact may make introverted people less familiar with negative
experiences of other scam victims.

However, research is divided on the contribution of some
personality traits to scams. For example, while some work showed that
people who are agreeable are better equipped to detect lies [10], in
another scenario agreeable people were found to be more likely to
fall for scams [23].

1.2 Personality Types and Internet Behavior 

Research into cyber-security has begun to look at how different
aspects of psychology can affect the end user and therefore
compromise Internet security. One existing concern is that the
internet may replace normal social activities and that people who are
preoccupied with the internet may be compensating for loneliness and
social seclusion.

A study by Zhou et al. [30] examined the user acceptance of
mobile commerce and found that neuroticism had a negative effect on
its perceived usefulness. In contrast, research by Wolfradt et al.
[29] found a high interest in using the internet for communication
purposes in people who scored high on the neuroticism scale.

A few studies found gender-based differences in online activity.
Milne et al. [22], in a study of online shopping services, found that
males were more likely to engage in risky online activity. On the
other hand, Byrne et al. found that women were more likely than men
to click on a link with a coupon even when being warned of a
potential threat.

Two studies by Hamburger et al. [2][13], which explored the
personality of heavy internet users, also detected differences between
the genders. In particular, their research showed that for women,
neuroticism was positively related to loneliness, while for men, the
correlation was significantly lower. Also, for women, both
neuroticism and the feeling of loneliness were positively related to
the use of social services, while extraversion was negatively related
to both. For men, the correlation was significantly lower to
neuroticism (and was uncorrelated to loneliness). One explanation for
these results may be that women are more sensitive to their
emotional and social needs and realize the ability of the internet to
help fill those needs.

In another study, Schrammel et al. [15] examined whether there is
a relationship between personality traits and disclosure of
information online but did not find any correlation between them.
However, the study found that people who spend more time online
provide more information on their profile.

1.3 Phishing Vulnerability 

Phishing is an attack that uses fraudulent electronic mail (email)
that claims to be from a trustworthy source. The goal of phishing
emails is to get personal information from the users, such as user
ID and passwords. The attacker can then use this information to
impersonate a user and access the user account for financial gain. In
the last few years there has been a significant increase in phishing
and spear phishing activity, with many of the emails designed to
directly target their victims in an effort to raise the likelihood
that the user will respond to the emails.

The direct damage of phishing is due to the costs of goods or
money stolen, which has been estimated to be over 1 billion dollars
[14]. However, the damage also includes overhead to companies
that get attacked, such as customer service support needed to
respond to user calls. In addition, as people become aware of the
dangers of phishing, they may avoid performing online purchases
and online banking, which results in reduced business to companies
who offer their services online.

Previous studies of phishing looked into the technical
understanding (or the lack of it) that makes people fall for phishing
and into methods to improve the user's ability to detect such attacks.

Dhamija et al. [8] explored the reasons that people respond to
phishing attacks. Test participants were shown 20 websites and
were asked to determine which ones were likely to be authentic and
which were not. The study found that many of the users were not
familiar with the technical cues of secure websites. Those users
either did not examine the address bar or the status bar, or did not
look for "https" at the beginning of the website address or for
the padlock sign. This implies that standard security indicators
may not be useful in many cases as users do not understand them or
neglect to search for them, even when actively trying to determine
if a site is authentic.

One of the suggested defenses for phishing is increased
education for internet users. However, research into phishing
vulnerability [4] shows that education has limited effect on phishing
response. In this study, Caputo et al. sent three separate phishing
emails to all workers in a medium-sized company. Each email was sent
three months after the previous one. Training sessions were conducted
in-between to raise people's awareness about the dangers and
signs of phishing emails. The study found the training had a
limited effect, where over 30% of the participants clicked on each of
the emails and 10% of the respondents clicked on all three
phishing emails. The study also found that 7% of the participants did
not click on any of the emails (demonstrating that some people are
less susceptible than others to fall for phishing attacks).

Sheng et al. [26] performed a demographic study of phishing
susceptibility. Their study found that women were more likely to
fall for phishing (53% of women and 41% of the men fell for the
phishing experiment). The women in the study had less technical
expertise, which may account for some of the difference in
phishing response. However, the women did have a higher level of
familiarity with anti-phishing education, which further supports the
hypothesis that anti-phishing education may not be a significant
factor in phishing prevention.

Our research assumes that responding to phishing, just like
responding to scams, results from an error of judgment. Our goal is
to understand the psychological traits that cause certain people
to make such errors. In addition, we seek to see if these correlate
to other lapses of judgment in online behavior (such as posting data
on social network sites).

The success of a phishing attack depends on users responding 
to it and providing their information. Therefore, understanding the 
psychological reasons for responding to such emails is imperative 
to developing effective defenses against such phishing attacks. 

1.4 Facebook Privacy 

Facebook has become the most popular social networking site,
with over 900 million users to date. The application allows people
to post text messages, share photos and put other personal
information online, such as birth date, address, work place and other
data. Users have lists of friends who can also post messages on their
site. This results in a large amount of personal information shared
between many users. While privacy settings can be changed on
Facebook, many users leave their information public to all
Facebook users or may set them open to viewing by friends and their
friends. Since the average friends list has 190 people, this results
in sharing the information with a large number of people. Since
people may also tag other people (who appear in their pictures), a
person's private information may also be leaked by other Facebook
users. Overall, Facebook sharing may result in privacy threats to
Facebook users, who may not be fully aware of the implications of
sharing personal and sensitive data.

While studies into users' online privacy attitude have shown that
most users are concerned with the way their data will be used [1]
[20], research and known examples demonstrate the fact that people
under-estimate the risks in sharing information online. Facebook
does not adequately protect user privacy and third-parties actively
seek information about Facebook users. Privacy International [24]
examined 21 online service companies and assessed Facebook as
one of seven sites that pose substantial privacy threats. Egelman
et al. [9] showed that Facebook users tend to make mistakes when
choosing their privacy settings, which were likely to result in
sharing information with unintended parties. However, users tend to
ignore these risks. In a study by Debatin et al., which included
119 students, Facebook users were found to perceive the benefits
of sharing information on Facebook as significantly higher than the
risks associated with sharing this information. This was further
supported by Govani et al. [12], who found that users may be
willing to take higher security risks to enjoy the benefit of certain
online services. This indicates that privacy threats may increase due
to the fact that many users underestimate or ignore the privacy risks
in sharing personal information while focusing on the advantages of
the social network.

Personality traits are believed to influence the use of social media 
and also have an effect on Internet security awareness. Our research 
examines how the traits affect Facebook-related decision making 
and behavior. Our goal is to detect the characteristics of users who 
may be more susceptible to privacy threats. 

1.4.1 Personality Types and Facebook Use 

A few studies examined the relationship between personality traits
and Facebook related behavior. Most research has focused on the
hypothesis that real-world personality is most likely expressed in
the cyber-world in a similar way. In [11], Gosling et al. found
that extraversion is related to the frequency of Facebook use and
engagement with the site. This suggests that the users' on-line
personality is directly related to their off-line personality. In
another study, Quercia et al. [7] also found that the number of
friends users have on Facebook was directly related to extraversion,
while no significant relationship was found to other personality
traits.

1.5 Big Five Framework 

Personality is a consistent pattern of how people respond to
stimuli in their environment and their attitude towards different
events. The five factor model of personality assessment is currently
one of the most widely used multidimensional measures of personality
[21]. Its goal is to encapsulate personality into five distinct
factors which allow a theoretical conceptualization of people's
personality. These dimensions are Neuroticism, Extroversion, Openness,
Agreeableness, and Conscientiousness. One of the most widely
used measures of this five factor model was developed by Costa and
McCrae and is called the NEO-PI FFM test [6]. This is a short 60
question test that allows for relatively quick, reliable, and accurate
measurement of participants' personality across these five major
dimensions of personality. This model is considered superior to other
models in capturing the common elements of personality traits and
providing a precise personality structure description [28].

Studies demonstrate that the five factors manifest themselves in
certain patterns of behavior, and are found in different age, gender
and race groups. In addition, there is evidence that the traits are
hereditary, which suggests an underlying biological basis [16]. The
advantages of the model led to its integration in a wide array of
previous personality traits-based studies in different fields,
including employment [25] and education [3]. The framework has been
identified as a robust model for understanding the relationship
between personality and various academic behaviors. Our research
sets out to examine if this relationship extends to online security
and privacy-related behavior.

Determining the personality factors that contribute to
vulnerability to phishing attacks as well as privacy threats is an
important step towards improving online security. This can help in
creating customized defenses to improve user awareness and protect
people who may be more vulnerable to such privacy and security attacks.

1.6 Overview of Contributions 

In this work, we try to identify personality traits that cause higher 
vulnerability to phishing attacks. We examine the correlation to 
social networks activity and try to see if we can identify personality 
traits that may cause privacy threats. 

This research is the first one we know of that correlates between 
phishing, personality traits and Facebook activity. We also examine 
the correlation to other factors, such as gender, general online usage 
characteristics and online pessimism. 

Our research shows that certain personality traits are more likely
to be associated with vulnerability to phishing attacks as well as
with online information sharing on social network sites.

2. OVERVIEW OF OUR EXPERIMENTS 

2.1 Methodology 

Participants were 100 students drawn from a psychology class
at a small Northeastern engineering college. Students participated
for extra credit and were told that this was primarily a study on
Internet usage and beliefs. There were 83 males and 17 females.
Students ranged in age from 18 to 31 with an average age of 21.17
years, with two students choosing not to disclose their age. Students
came from a variety of different majors but were primarily in the
science and engineering disciplines.

2.2 Personal questionnaire, personality traits 
and Facebook activity 

In the first part of the experiment, the students were given a link 
to an online questionnaire and were asked to fill it within a week. 
The reason the questionnaire was put online was to prevent in-class 
interaction that may affect the results. 

The questionnaire included three parts: A personal questions
part, which included the users' email, age, academic and work
background information. It also included an online activity section.
In this section, the users were first asked to assess on a 7-point
scale (from 1 = not very likely to 7 = definitely) their online
activity and their estimate of the probability of bad consequences
happening to them online. They were also asked about the types of
data they put on their Facebook account, the number of photos and
posts they post online and their privacy settings. In the last part of
the questionnaire, the users filled the short version of the NEO-FFM
personality characteristics test.

2.3 Technical Details 

The questionnaire was hosted online on Heroku and the results
were processed using the SPSS software. For correlation
calculations, we used the bivariate Pearson two-tailed correlation.



2.4 Personality Traits 

We calculated the Five Factor Model personality traits according 
to the questionnaire. We then used the different personality traits 
- Openness, Conscientiousness, Extraversion, Agreeableness and 
Neuroticism - and evaluated their correlation to other test variables. 

2.5 Internet usage, pessimism and addiction 

We asked a list of questions regarding internet usage and
pessimism. The questions were mixed together. Some of the
questions were related to internet usage, while the others were
related to internet pessimism. The questions related to internet
pessimism required the user to assess the likelihood that a negative
event will happen to him online (for example, that his password will
be stolen). To evaluate the internet usage, we added the values of all
the 'usage' questions for the internet questionnaire section. To
evaluate the internet pessimism, we added all the values of the
'pessimism' questions and created one combined value.

We also asked eight questions which correspond to users being
preoccupied with the internet, giving a measure of internet
addiction. The positive answers to these questions were added to
create one variable which correlates to users being addicted to online
activity.

2.6 Phishing 

In this part of the test, the email addresses provided to us by the 
students in the questionnaire were used. An email was sent to the 
users promising an Apple product to the first users to click the link. 
The email had a few typical characteristics of a phishing email, 
including the "from" field not matching the actual address (which 
the users would see if they put their mouse on the field). The link 
also showed a text which did not match the actual link address. 
In addition, the email contained spelling mistakes and asked for 
immediate action, which is typical of phishing emails. 

The users that did click on the link were forwarded to a screen
that looked like a typical Polytechnic screen. However, the actual
HTML address was:

http://alphanext.phpfogapp.com/data_list/index.php?id=394327

The users who clicked on the login button were then considered to
be phished. To maintain confidentiality, our system only kept the
data regarding who was phished but not the actual usernames and
passwords.

Our phishing email was clearly a "prize scam" email. The email
employed a few psychological techniques, meant to get the users
to respond. The email seemed to come from an authority ("CSAW
services", where CSAW is a yearly competition held by the
Polytechnic University security group). The email requested an
immediate response (which reduces the motivation for thorough
consideration and is likely to increase impulsive response). The email
also triggered visual processing, by mentioning the prize and that
the product will be distributed to students (therefore seems
"personalized" to the University students).

A copy of the original phishing email with the phishing
characteristics can be found in Figure 1.
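The indicators this section lists (a sender name that does not match the sending address, link text that does not match the link target, and a demand for immediate action) can be checked mechanically on the receiving side. The following is an added example, not code from the study; the sender allow-list, the `.example` domains and both messages are constructed assumptions, and the spelling-mistake indicator is left out because it needs a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: organisation names mapped to the domain allowed to send for them.
EXPECTED_SENDER_DOMAINS = {"campus services": "university.example"}
URGENCY = re.compile(
    r"as soon as possible|no later than|immediately|limited number", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

# Constructed sample messages (not the email used in the study).
PHISH = """From: "Campus Services" <data_list@mail.example>
Subject: Apple Products
Content-Type: text/html

<p>We have a very limited number of extra products. Respond no later than
this Thursday.</p>
<p><a href="http://sho.rt.example/K2">http://prizes.university.example</a></p>
"""
BENIGN = """From: "Campus Services" <news@university.example>
Subject: Events
Content-Type: text/html

<p>This month's schedule is online.</p>
<p><a href="https://www.university.example/events?m=5">www.university.example/events</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self.cur_href, self.cur_text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, "".join(self.cur_text).strip()))
            self.cur_href = None


def host_of(value):
    """Host part of a URL, also accepting a bare host shown as link text."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def within(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message):
    """Return the set of indicators found in a single-part HTML message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    found = set()
    # 1. Display name claims an organisation, address is outside its domain.
    for name, domain in EXPECTED_SENDER_DOMAINS.items():
        if name in display.lower() and not within(sender_domain, domain):
            found.add("sender-mismatch")
    # 2. Link text looks like a URL but points to a different host.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if URL_LIKE.match(text):
            shown, actual = host_of(text), host_of(href)
            if not (within(shown, actual) or within(actual, shown)):
                found.add("link-mismatch")
    # 3. Wording that pushes for an immediate response.
    if URGENCY.search(body):
        found.add("urgency")
    return found


if __name__ == "__main__":
    print(sorted(phishing_indicators(PHISH)))
    print(sorted(phishing_indicators(BENIGN)))
```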

2.7 Facebook Activity 

To correlate the Facebook activity with the personality traits, we
calculated the following: We asked the test participants what kind
of data they put on Facebook. The users were asked about 14
different types of personal data, including age, address, phone number
and other personal information. When examining the entered data,
we create variables that reflect the data types the user puts on
Facebook - where the variable gets the value 1 if the user puts the
corresponding data on Facebook and 0 otherwise. We then added the
values of all the variables to create one 'Facebook data' combined
variable.

[Figure: annotated screenshot of the email. Callouts: "Text mismatches
actual link" (on the sender field and on the link) and "Spelling
mistakes".]

Subject: Apple Products
From: CSAW Services (data_list_service@yahoo.com)
Date: Saturday, May 12, 2012 9:50 AM

With the semester ending the CSAW program is happy to announce that it
has a very limited number of extra Apple products that were purchased
and not used. If they are not disposed off to students they must be
returned We are raffling them off so respond as soon as possible (No
later than this Thursday). You have been preslected to be part of this
drawing. Please click on the following link and [rest of line obscured
by the "Spelling mistakes" callout]

http://csawdatasemces.edu

CSAW Data Servicer. http://bit.ly/K2uTYS

Figure 1: Phishing email

We also used the log value of the number of posts and the log
value of the number of images the users put on Facebook as
separate variables. These give a measure of the amount of activity the
user actually engages in on Facebook. To calculate the updated
variables, we used the following calculation:

$\text{FB posts} = \log_{10}(\text{Total Entries} + 0.001)$

The same calculation was computed for the total Facebook photos.

To evaluate the privacy settings, we gave a weight of 0 to 3 to
each privacy setting, where 0 corresponds to allowing nobody to see
the related Facebook parameter and 3 corresponds to everybody
being able to see these. We then added these values for the different
parameters to create a combined variable for the Facebook privacy
settings.
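The variable construction in this section and the Pearson correlation named in Section 2.3 can be carried through on a small data set. This is an added example, not the study's SPSS procedure: the six responses are constructed, only three of the 14 data types are shown, and the labels for privacy levels 1 and 2 are assumptions (the text fixes only 0 = nobody and 3 = everybody).

```python
import math

# Assumption: names for levels 1 and 2; the paper defines only 0 and 3.
PRIVACY_WEIGHT = {"nobody": 0, "friends": 1,
                  "friends_of_friends": 2, "everybody": 3}

# Constructed survey responses (three data types instead of the study's 14).
RESPONSES = [
    {"data_types": {"age": True, "address": False, "phone": False},
     "posts": 0, "photos": 5,
     "privacy": {"wall": "friends", "photos": "friends"}, "phished": 0},
    {"data_types": {"age": True, "address": True, "phone": False},
     "posts": 40, "photos": 120,
     "privacy": {"wall": "everybody", "photos": "friends_of_friends"},
     "phished": 1},
    {"data_types": {"age": False, "address": False, "phone": False},
     "posts": 3, "photos": 0,
     "privacy": {"wall": "nobody", "photos": "nobody"}, "phished": 0},
    {"data_types": {"age": True, "address": True, "phone": True},
     "posts": 250, "photos": 300,
     "privacy": {"wall": "everybody", "photos": "everybody"}, "phished": 1},
    {"data_types": {"age": True, "address": False, "phone": False},
     "posts": 12, "photos": 30,
     "privacy": {"wall": "friends", "photos": "friends_of_friends"},
     "phished": 0},
    {"data_types": {"age": True, "address": False, "phone": True},
     "posts": 90, "photos": 10,
     "privacy": {"wall": "friends_of_friends", "photos": "everybody"},
     "phished": 1},
]


def facebook_variables(resp):
    """Build the four Facebook variables described in Section 2.7."""
    return {
        # One point per data type the user puts on Facebook (1 / 0 coding).
        "fb_data": sum(1 for shared in resp["data_types"].values() if shared),
        # The 0.001 offset keeps log10 defined for users with zero entries.
        "fb_posts": math.log10(resp["posts"] + 0.001),
        "fb_photos": math.log10(resp["photos"] + 0.001),
        # Higher total means more of the profile is visible to more people.
        "fb_privacy": sum(PRIVACY_WEIGHT[v] for v in resp["privacy"].values()),
    }


def pearson_r(xs, ys):
    """Pearson correlation coefficient; NaN when either column is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equally long columns with n >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return float("nan")
    return sxy / math.sqrt(sxx * syy)


def correlations_with_phished(responses):
    """Correlate each Facebook variable with the 0/1 phished outcome."""
    rows = [facebook_variables(r) for r in responses]
    phished = [r["phished"] for r in responses]
    return {name: pearson_r([row[name] for row in rows], phished)
            for name in rows[0]}


if __name__ == "__main__":
    for name, r in correlations_with_phished(RESPONSES).items():
        print(f"{name}: r = {r:.3f}, r^2 = {r * r:.3f}")
```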

3. RESULTS AND DISCUSSION 

Our results showed all 100 test participants filled the
questionnaire. Some of the students filled the questionnaire twice.
All duplicate entries were removed from the database.

3.1 Phishing 

Our experiment showed that 17% of our users were phished. The
most obvious parameter correlated to the phishing was gender. Out
of our test participants, 14% of the men were phished and 53%
of the women were phished. While a similar trend was found in
prior research [26], our results show a significantly higher
difference between the percentage of women and men phished.
Previous research [5] found that women tend to use text messages more
as well as shop online more. This further demonstrates the fact
that women feel more comfortable with digital communication and
may be more inclined to reply to emails with commercial offers or
prizes. Since our email was a prize offer, this may further contribute
to the large difference in response to our phishing email between
women and men.

We further tested the correlation between personality traits and
being phished. For the women, we found a very high correlation to
neuroticism. For the men, there was no correlation to any
personality trait. The full results which show the correlation for the
women can be found in Table 1. We hypothesize that one of the reasons
for this difference may be that women feel more comfortable admitting
fears (which many of the questions used to measure neuroticism
are related to). These results seem to support the hypothesis that
women are more sensitive to their emotional needs and tend to
believe the internet may have the ability to fill those needs. That
fact, together with the fact that the email was a prize phishing
email, seem to provide a combination that may make women significantly
more susceptible to phishing attacks.

|         | Correlation | R Square |
|---------|-------------|----------|
| Phished | .448        | 0.201    |

Table 2: Linear regression of phishing and Facebook activity
(women)

Another question we are attempting to examine is: Can we predict the
probability of being phished based on Facebook activity? To examine
this, we ran a linear regression test, trying to predict phishing
vulnerability based on the four Facebook variables: types of data
posted, number of posts, number of photos and privacy settings. Our
results appear in Table 2. This result points to the fact that there
is a correlation between Facebook activity and phishing response.
This indicates that being more active in online social networks may
cause higher susceptibility to such attacks. Therefore, people who
feel more comfortable with online communication and expressing
themselves online may also be more likely to respond to phishing
emails.
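
The regression described above, as an added example that is not the authors' code or data: it fits a binary phished outcome on four Facebook variables by ordinary least squares and reports the multiple correlation R and R Square, the two quantities of Table 2. The rows, the variable coding and the function names are constructed assumptions.

```python
from math import sqrt

def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("predictors are collinear")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x

def fit(rows, y):
    """OLS of y on intercept + predictors; returns (beta, R, R squared)."""
    X = [[1.0] + [float(v) for v in r] for r in rows]
    k = len(X[0])
    # Normal equations: (X'X) beta = X'y
    xtx = [[sum(x[i] * x[j] for x in X) for j in range(k)] for i in range(k)]
    xty = [sum(x[i] * t for x, t in zip(X, y)) for i in range(k)]
    beta = solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, x)) for x in X]
    mean_y = sum(y) / len(y)
    ss_tot = sum((t - mean_y) ** 2 for t in y)
    ss_res = sum((t - f) ** 2 for t, f in zip(y, fitted))
    r2 = 1 - ss_res / ss_tot
    # Multiple correlation R: Pearson correlation of fitted vs observed.
    mean_f = sum(fitted) / len(fitted)
    cov = sum((f - mean_f) * (t - mean_y) for f, t in zip(fitted, y))
    r = cov / sqrt(sum((f - mean_f) ** 2 for f in fitted) * ss_tot)
    return beta, r, r2

# Constructed rows (NOT the study's data), one per participant:
# (data types posted, number of posts, number of photos, privacy looseness 1-5)
ROWS = [(2, 5, 3, 1), (6, 40, 25, 4), (3, 12, 2, 2), (7, 55, 30, 5),
        (1, 0, 0, 1), (5, 20, 18, 3), (4, 33, 9, 4), (2, 8, 12, 2),
        (6, 15, 40, 5), (3, 25, 5, 1), (5, 48, 22, 3), (1, 3, 1, 2)]
PHISHED = [0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0]  # 1 = responded to the email

BETA, R, R2 = fit(ROWS, PHISHED)
print(f"R = {R:.3f}, R Square = {R2:.3f}")
```

With an intercept in the model, R Square equals the square of R, which is the relationship between the two columns of Table 2.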

3.1.1 Predicting Phishing 

We also found that people are not good at estimating their
vulnerability to internet attack. One of the questions we asked our
test subjects was how they rate the likelihood of their passwords
being stolen. When correlating their responses with whether they
were phished, we found the answers were uncorrelated. Further, we
only see a low correlation between general internet pessimism and
the likelihood of being phished. This further shows that people are
not fully aware of the potential internet threats and their ability
to avoid phishing attacks.

We also asked the users about their computer expertise. We found
that there is no correlation between general computer expertise and
the ability to detect email attacks. The correlations can be seen in
Table 3.





                    Phished   Usage     Pessimism   Addiction
Neuroticism         .501*     -.161     -.308       .464
Extraversion        -.330     .064      .013        -.282
Openness            .357      .090      .164        -.173
Agreeableness       -.057     -.424     -.226       -.071
Conscientiousness   -.034     .220*     .187        -.630**
Usage               .177      1         .828**      .009
Pessimism           .148      .828**    1           .054
Addiction           .043      .009      .054        1

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 1: Phishing and personality factors correlation for women



This finding suggests that to understand phishing susceptibility, it
is preferable to conduct studies in which the users are being phished
(vs. asking people to look at phishing emails and detect those that
look suspicious). It raises the likelihood that the susceptibility of
people to phishing results from failing to consider the possibility
that an email may be phishing and instead concentrating on the
potential for gain (prize).





             Phished   Pessimism   Est. Risk   Expert.
Pessimism    .135      1           .725**      -0.54
Est. Risk    -.029     .725**      1           0.100
Expertise    -.044     -.054       0.100       1

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 3: Phishing results correlated to Pessimism and estimated
risk (all test participants)

3.2 Internet usage, pessimism and addiction

We found that people who use the internet more are also more aware
of its risks. They regarded the likelihood of something bad
happening to them online as higher than the people who use it less
did. This tends to show that people who spend more time online do
become aware of the fact that the internet poses threats to user
privacy. We also found that internet addiction was highly correlated
to neuroticism (correlation = 0.426). This is intuitive, as people
with a high neuroticism level tend to become more vulnerable to
different addictions. We further see that internet addiction is
inversely correlated to conscientiousness. This is similar to
correlations found in a previous study for substance abuse addiction
[18]. This demonstrates that people who are likely to be vulnerable
to other addictions may also be vulnerable to internet addiction,
which may be experienced as a safe activity that provides relief
from stress. The correlation can be seen in Table 4.

We also examined the correlation between internet behavior and
Facebook activities. As expected, we found that people who use the
internet more also tend to use Facebook more, posting more data and
photos on it. People who are more pessimistic about the internet and
estimate its risks higher were found on average to post more
messages as well as photos to Facebook. This supports the hypothesis
that people who actually use the internet more are more aware of its
dangers. In addition, participants who are more preoccupied with the
internet (rate higher on the addiction scale) also tend to put more
data on Facebook.

                    Usage     Pessimism   Addiction
Neuroticism         .009      .180        .426**
Extraversion        .116      -.048       -.043
Openness            -.019     .004        .055
Agreeableness       -.053     -.111       -.042
Conscientiousness   .186      .025        -.241*
Usage               1         .684**      -.009
Pessimism           .684**    1           .078
Addiction           -.009     .078        1

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 4: Internet behavior correlation to personality factors





                    Usage     Pessimism   Addiction
FB Data             .160      .160        .203*
FB photos           .234*     .199*       .094
Total Posts         .241*     .162        .062
Privacy Settings    .072      .072        .122

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 5: Internet behavior correlation to FB activity



3.3 Facebook Activity 

We also examine the Facebook activity correlation to personality
traits. As expected, we found that Facebook activity correlates to
openness, which was correlated with both the data types the users
put on Facebook as well as the number of posts and images. Also,
openness was correlated with looser Facebook privacy settings. Our
tests did not show a significant difference between the Facebook
activity of men and women. Another observation was that Facebook
activity is directly correlated to the Facebook privacy settings:
people who are more active on Facebook also tend to have looser
privacy settings (less restricted). The full results can be seen in
Table 6. These results indicate that people who put more information
on Facebook have a significantly higher risk of privacy leaks, as
they also tend to share this information with significantly more
people. This suggests Facebook users who enjoy using the application
fail to consider its privacy leak risks while focusing mainly on its
advantages.

                    No FB account
Neuroticism         -.070
Extraversion        -.170
Openness            -.301**
Agreeableness       -.118
Conscientiousness   -.127

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 7: Correlation between users with no Facebook account
and personality factors

3.4 Users without Facebook accounts 

Within our test population, we found that a small group of 12 test
subjects had no Facebook account. Inspection of the group showed
they were all men and none of them were phished. Examining the Five
Factor Model variables, we found that the highest inverse
correlation for people in this group was to openness, while there
was also a lower inverse correlation to extraversion. The
correlation between the non-Facebook users and the personality
traits can be seen in Table 7.

The results suggest there are certain participants that manifest
their off-line personal traits (scoring lower on openness and
extraversion) in their online activity as well and are not
interested in social networks. This further suggests that people who
do not feel comfortable with social online activity may also be less
likely to fall victim to online phishing attacks.

4. CONCLUSIONS AND FUTURE WORK 

Our research examines the factors that may contribute to
susceptibility to online security and privacy attacks. We look at
the correlation between personality traits and phishing email
response. We further examine the correlation between online behavior
and probability of being phished.

Our findings have important implications, as they confirm that
certain personality traits may cause higher phishing vulnerability.
Specifically, we found that women tend to be more susceptible to
prize phishing attacks than men. In particular, we saw a high
correlation between neurosis and responding to phishing attacks.
This suggests phishing defenses should be tailored towards people
who score high on certain personality traits, specifically in cases
of phishing emails that seem to offer financial gain (such as
prizes).

We also see that Facebook activity can be a predictor of
vulnerability to phishing. This can be useful in designing defenses
for specific demographics (for example, a defense may be designed as
a Facebook application).

Our work also finds that people who are more engaged with Facebook
activity (posting more messages and photos) also have less
restrictive privacy settings and therefore may be more vulnerable to
privacy threats. This suggests people who focus more on the benefits
of Facebook tend to ignore its risks, a factor that should be
considered when attempting to raise awareness about privacy leaks
through user education.

Future work should concentrate on email phishing attacks with
different email types. The emotional motivations for responding to
different email types may be different. Therefore, finding which
personality factors are correlated to the different types will be
useful in future design of defenses for online attacks.

5. ACKNOWLEDGMENTS 

This work was supported in part by the NSF (under grant 0966187).
The views and conclusions contained in this document are those of
the authors and should not be interpreted as necessarily
representing the official policies, either expressed or implied, of
any of the sponsors.

6. REFERENCES 

[1] M. S. Ackerman, L. F. Cranor, and J. Reagle. Privacy in
E-Commerce: Examining User Scenarios and Privacy
Preferences. ACM Conference on Electronic Commerce,
pages 1-8, 1999.

[2] Y. Amichai-Hamburger and E. Ben-Artzi. Loneliness and
Internet use. Computers in Human Behavior, 19(1):71-80,
January 2003.

[3] V. V. Busato, F. J. Prins, J. J. Elshout, and C. Hamaker. The
relation between learning styles, the Big Five personality
traits and achievement motivation in higher education.
Personality and Individual Differences, 26:129-140, 1999.

[4] D. D. Caputo. Leveraging Human Behavior to Reduce Cyber
Security Risk: Spear-Phishing Study Design, Results and
Discussion.
http://www.thei3p.org/docs/events/humanbehaviorworkshop1011/deannaspearphishing.pdf,
2011.

[5] M. Charts. Women Text, Shop Online More than Men.
http://www.marketingcharts.com/direct/women-text-shop-online-more-than-men-16641/.

[6] P. Costa and R. R. McCrae. NEO PI-R professional manual.
Psychological Assessment Resources, Inc, Odessa, FL, 1992.

[7] D. Quercia, R. Lambiotte, D. Stillwell, M. Kosinski, and
J. Crowcroft. The personality of popular facebook users.
Proceedings of the ACM 2012 conference on Computer Supported
Cooperative Work (CSCW), pages 955-964, 2012.

[8] R. Dhamija, J. D. Tygar, and M. Hearst. Why Phishing
Works. Proceedings of the SIGCHI conference on Human
Factors in computing systems (CHI), pages 581-590, 2006.

[9] S. Egelman, A. Oates, and S. Krishnamurthi. Oops, I did it
again: mitigating repeated access control errors on facebook.
Proceedings of the 2011 annual conference on Human
factors in computing systems (CHI), 2011.

[10] F. Enos, S. Benus, R. L. Cautin, M. Graciarena,
J. Hirschberg, and E. Shriberg. Personality Factors in Human
Deception Detection: Comparing Human to Machine
Performance. INTERSPEECH - ISLP, 2006.

[11] S. D. Gosling, A. A. Augustine, S. Vazire, N. Holtzman, and
S. Gaddis. Manifestations of Personality in Online Social
Networks: Self-Reported Facebook-Related Behaviors and
Observable Profile Information. Cyberpsychology, Behavior,
and Social Networking, 14:483-488, 9 2011.

[12] T. Govani and H. Pashley. Student Awareness of the Privacy
Implications When Using Facebook.
http://lorrie.cranor.org/courses/fa05/tubzhlp.pdf.





                    FB Data   FB photos   FB Posts   Privacy
Neuroticism         .103      .017        .108       .105
Extraversion        .182      .191        .134       .093
Openness            .306**    .249*       .155       .251*
Agreeableness       .005      .081        .096       .111
Conscientiousness   -0.003    .187        .116       .046
FB Data             1         .744**      .659**     .696**
FB photos           .744**    1           .774**     .763**
FB Posts            .659**    .774**      1          .723**
Privacy             .696**    .763**      .723**     1

* - Correlation is significant at the 0.05 level (2-tailed).
** - Correlation is significant at the 0.01 level (2-tailed).

Table 6: Facebook data correlation to personality factors



[13] Y. A. Hamburger and E. Ben-Artzi. The relationship between
extraversion and neuroticism and the different uses of the
Internet. Computers in Human Behavior, 16(4):441-449,
July 2000.

[14] M. Jakobsson and S. Myers. Phishing and Countermeasures:
Understanding the Increasing Problem of Electronic Identity
Theft. Wiley-Interscience, December 2006.

[15] C. K. Johann Schrammel and M. Tschelig. Personality
Traits, Usage Patterns and Information Disclosure in Online
Communities. Proceedings of HCI, September 2009.

[16] P. T. C. Jr and R. R. McCrae. Four ways five factors are
basic. Personality and Individual Differences,
13(6):653-665, June 1992.

[17] D. Kahneman and A. Tversky. Prospect Theory: An Analysis
of Decision under Risk. Econometrica, March 1979.

[18] H. Kornør and H. Nordvik. Five-factor model personality
traits in opioid dependence.
http://www.biomedcentral.com/1471-244X/7/37, 2007.

[19] J. Langenderfer and T. Shimp. Consumer vulnerability to
scams, swindles, and fraud: A new theory of visceral
influences on persuasion. Psychology and Marketing, 2001.

[20] Lorrie Faith Cranor, Joseph Reagle, and Mark S. Ackerman.
Beyond Concern: Understanding Net Users' Attitudes About
Online Privacy.
http://arxiv.org/html/cs/9904010/report.htm.

[21] R. R. McCrae and O. P. John. An Introduction to the
Five-Factor Model and Its Applications. Journal of
Personality, 60(2):175-215, June 1992.

[22] G. R. Milne, L. I. Labrecque, and C. Cromer. Toward an
Understanding of the Online Consumer's Risky Behavior
and Protection Practices. Journal of Consumer Affairs,
43(3):449-473, 2009.

[23] D. Modic and S. E. Lea. How neurotic are scam victims,
really? The big five and Internet scams. Security and Human
Behavior, 2012.

[24] Privacy International. A Race to the Bottom: Privacy
Ranking in Internet Service Companies - A Consultation
Report.
https://www.privacyinternational.org/article/race-bottom-privacy-ranking-internet-service-companies,
June 2007.

[25] S. Rothmann and E. P. Coetzer. The Big Five Personality
Dimensions and Job Performance. Journal of Industrial
Psychology, 29(1):68-74, 2003.

[26] S. Sheng, M. Holbrook, P. Kumaraguru, L. Cranor, and
J. Downs. Who Falls for Phish? A Demographic Analysis
of Phishing Susceptibility and Effectiveness of Interventions.
Proceedings of the SIGCHI conference on Human Factors in
computing systems (CHI), pages 373-382, 2010.

[27] University of Exeter School of Psychology. The psychology
of scams: Provoking and committing errors of judgement.
http://www.oft.gov.uk/shared_oft/reports/consumer_protection/oft1070.pdf.

[28] T. A. Widiger. Five factor model of personality disorder:
Integrating science and practice. Journal of Research in
Personality, 39(1):67-83, February 2006.

[29] U. Wolfradt and J. Doll. Motives of adolescents to use the
Internet as a function of personality traits, personal and
social factors. Journal of Educational Computing Research,
24(1):13-27, 2001.

[30] T. Zhou and Y. Lu. The Effects of Personality Traits on User
Acceptance of Mobile Commerce. International Journal of
Human-Computer Interaction, 27(6):545-561, June 2011.



